Interface specifications play an important role in component-based software development. An interface theory is a formal framework supporting composition, refinement and compatibility of interface specifications. We present different interface theories which use modal I/O-transition systems as their underlying domain for interface specifications: synchronous interface theories, which employ a synchronous communication schema, as well as a novel interface theory for asynchronous communication where components communicate via FI
FO-buffers.

1 Introduction 

The idea of an interface theory is to capture basic requirements that any formalism should obey which is intended to support the design of components and component systems. Since system development usually concerns two dimensions, a horizontal dimension where larger components are built from smaller ones, and a vertical dimension where interface specifications are successively refined (and finally implemented), an interface theory requires concepts of composition, refinement and compatibility. Of course, it is important that the different dimensions of system development fit properly together. Therefore an interface theory requires (at least) that refinement is preserved by composition and that compatibility of interfaces is preserved by refinement, which is needed for independent implementability and reusability of components.

A formal notion of an interface theory was, to our knowledge, first proposed by de Alfaro and Henzinger in [?]. In their work, an interface theory consists of an interface algebra together with a component algebra, thus distinguishing between interface specifications and component implementations. Later, in [3], the authors introduced the term interface language, which simplifies the approach by considering just interfaces, with the requirements that incremental design and independent implementability are possible. Interface theory and interface language are abstract concepts which can be instantiated by concrete formalisms. The (abstract) notion of an interface theory we shall use hereafter is close to an interface language but further simplified by concentrating on the two rudimentary requirements mentioned above, which guarantee independent implementability and which we want to study for particular interface theories supporting synchronous as well as asynchronous composition.

All interface theories studied in this work use modal I/O-transition systems (MIOs), introduced by Larsen et al. [11], [12], as underlying formalism for interface specifications. MIOs are well suited to describe behavioural properties of reactive components. They allow one to distinguish between transitions which are optional or mandatory for refinements and thus support loose specification and stepwise development. We first summarize our previous work on interface theories [?] which was based on synchronous composition of MIOs. We discuss strong and weak versions of refinement and compatibility and we show that both versions lead to an interface theory. Then we extend our previous work and consider asynchronous composition of MIOs which communicate via output queues. We introduce the notion of asynchronous compatibility, which requires that each message put in the output queue of a MIO must eventually be taken by its communication partner; this is related to the requirement of specified reception in communicating finite state machines [8]. We show that MIOs with asynchronous composition, asynchronous compatibility and weak refinement again form an interface theory. Finally, we discuss possibilities for verification and further directions of our work.

2 Interface Theories for MIOs with Synchronous Composition 

In our study the abstract concept of an interface theory defines rudimentary properties that should be satisfied by any formal framework for interface specifications. Given a class $\mathcal{I}$ of interface specifications, an interface theory includes a partial composition operator $\otimes$ to combine specifications to larger ones. The composition operator is, in general, partial since it is not always syntactically meaningful to compose specifications. Interface specifications for which the composition is defined are called composable. Additionally, an interface theory must offer a refinement relation $\leq$ to relate "concrete" and "abstract" specifications, and a compatibility relation $\sim$ to express when two interface specifications describe components which can work properly together. In contrast to (syntactic) composability, compatibility has a semantic flavour related to the behaviour of components. To obtain an interface theory, three requirements must be satisfied. Obviously, compatible specifications must be syntactically composable. Moreover, refinement must be compositional in the sense that it must be preserved by the composition operator and, third, compatibility must be preserved by refinement.

Definition 1 (Interface Theory). An interface theory is a tuple $(\mathcal{I}, \otimes, \leq, \sim)$ consisting of a class $\mathcal{I}$ of interface specifications, a partial composition operator $\otimes : \mathcal{I} \times \mathcal{I} \rightharpoonup \mathcal{I}$, a reflexive and transitive refinement relation $\leq \subseteq \mathcal{I} \times \mathcal{I}$, and a symmetric compatibility relation $\sim \subseteq \mathcal{I} \times \mathcal{I}$, such that the following conditions are satisfied. Let $S, S', T, T' \in \mathcal{I}$ be interfaces.

(1) (Compatibility implies composability) If $S \sim T$ then $S \otimes T$ is defined.

(2) (Compositional refinement) If $S' \leq S$ and $T' \leq T$ and $S \otimes T$ is defined, then $S' \otimes T'$ is defined and $S' \otimes T' \leq S \otimes T$.

(3) (Preservation of compatibility) If $S \sim T$ and $S' \leq S$ and $T' \leq T$, then $S' \sim T'$.

Obviously, in a top-down design, the requirements for an interface theory expressed by conditions (1) to (3) support independent development of components and thus independent implementability in the sense of [?]. To a certain extent an interface theory also supports bottom-up design, where existing components can be reused as parts of a larger system architecture, as long as local refinements are correct and local interfaces fit into the context.

In the following we will study particular interface theories which all use modal I/O-transition systems (MIOs) as their underlying formalism for interface specifications. Modal I/O-transition systems have been introduced by Larsen et al. [11], [12] as a formalism to describe the behaviour of reactive, concurrent components. MIOs distinguish between may- and must-transitions, where the former model allowed behaviour, which may or may not be present in a refinement, whereas the latter model required behaviour to be preserved by any refinement. Thus MIOs support loose specifications and flexible notions of refinement.
Definition 2 (MIO). A modal I/O-transition system (MIO) $S = (states_S, start_S, act_S, \dashrightarrow_S, \longrightarrow_S)$ consists of a set of states $states_S$, an initial state $start_S \in states_S$, a set $act_S$ of actions being the disjoint union of sets $in_S$, $out_S$ and $int_S$ of input, output and internal actions resp., a may-transition relation $\dashrightarrow_S \subseteq states_S \times act_S \times states_S$, and a must-transition relation $\longrightarrow_S \subseteq \dashrightarrow_S$, i.e. every required transition is also allowed. The set $act_S$ of actions together with its partition into input, output and internal actions is called the signature of $S$.

As usual, we write $s \overset{a}{\dashrightarrow}_S s'$ instead of $(s, a, s') \in \dashrightarrow_S$ and similarly for must-transitions. A state $s \in states_S$ of $S$ is called reachable if there exist may-transitions $start_S \overset{a_1}{\dashrightarrow}_S s_1 \overset{a_2}{\dashrightarrow}_S \cdots \overset{a_n}{\dashrightarrow}_S s_n$ such that $s_n = s$. The class of modal I/O-transition systems is denoted by $\mathcal{M}$. It provides the underlying domain of specifications for all interface theories considered in the following.

Two MIOs $S, T \in \mathcal{M}$ are (syntactically) composable if their actions only overlap on complementary types, i.e. $act_S \cap act_T \subseteq (in_S \cap out_T) \cup (in_T \cap out_S)$. The set of shared actions $act_S \cap act_T$ is denoted by $shared(S, T)$. The synchronous composition of two composable MIOs $S$ and $T$ is defined as the usual product of transition systems with synchronization on shared actions, which become internal in the product. A synchronization transition in the composition is a must-transition only if both of the single synchronized transitions were must-transitions.

Definition 3 (Synchronous composition). Let $S, T \in \mathcal{M}$ be two composable MIOs. The synchronous composition of $S$ and $T$ is the MIO $S \otimes_{sy} T = (states_S \times states_T, (start_S, start_T), act, \dashrightarrow, \longrightarrow)$ where the action alphabet $act$ is the disjoint union of the input actions $(in_S \cup in_T) \setminus shared(S, T)$, the output actions $(out_S \cup out_T) \setminus shared(S, T)$, and the internal actions $int_S \cup int_T \cup shared(S, T)$. The transition relations are the smallest relations satisfying:

• for all $a \in shared(S, T)$,

— if $s \overset{a}{\dashrightarrow}_S s'$ and $t \overset{a}{\dashrightarrow}_T t'$, then $(s, t) \overset{a}{\dashrightarrow} (s', t')$,

— if $s \xrightarrow{a}_S s'$ and $t \xrightarrow{a}_T t'$, then $(s, t) \xrightarrow{a} (s', t')$,

• for all $a \in act_S \setminus shared(S, T)$,

— if $s \overset{a}{\dashrightarrow}_S s'$, then $(s, t) \overset{a}{\dashrightarrow} (s', t)$ for all $t \in states_T$,

— if $s \xrightarrow{a}_S s'$, then $(s, t) \xrightarrow{a} (s', t)$ for all $t \in states_T$,

• for all $a \in act_T \setminus shared(S, T)$,

— if $t \overset{a}{\dashrightarrow}_T t'$, then $(s, t) \overset{a}{\dashrightarrow} (s, t')$ for all $s \in states_S$,

— if $t \xrightarrow{a}_T t'$, then $(s, t) \xrightarrow{a} (s, t')$ for all $s \in states_S$.

The basic idea of modal refinement is that required (must) transitions of an abstract specification must also occur in the concrete specification. Conversely, allowed (may) transitions of the concrete specification must be allowed by the abstract specification. We distinguish between strong modal refinement, due to [12] and denoted by $\leq_m$, and weak modal refinement, due to [9] and denoted by $\leq^*_m$, which are both defined in terms of a simulation relation. While in the strong case every transition must be simulated "immediately", weak refinement allows one to abstract from transitions with internal actions. We only review the formal definition of the latter here. In the following, the successive execution of arbitrarily many internal must-transitions is denoted by $\longrightarrow^*$, and similarly $\dashrightarrow^*$ for may-transitions.

Definition 4 (Weak modal refinement). Let $S$ and $T$ be MIOs with the same signature. $S$ weakly modally refines $T$, written $S \leq^*_m T$, if there exists a relation $R \subseteq states_S \times states_T$ containing $(start_S, start_T)$ such that for all $(s, t) \in R$:

(1) $\forall a \in in_T \cup out_T : t \xrightarrow{a}_T t' \Rightarrow \exists\, s \longrightarrow^*_S \xrightarrow{a}_S \longrightarrow^*_S s' \wedge (s', t') \in R$,

(2) $\forall a \in int_T : t \xrightarrow{a}_T t' \Rightarrow \exists\, s \longrightarrow^*_S s' \wedge (s', t') \in R$,

(3) $\forall a \in in_S \cup out_S : s \overset{a}{\dashrightarrow}_S s' \Rightarrow \exists\, t \dashrightarrow^*_T \overset{a}{\dashrightarrow}_T \dashrightarrow^*_T t' \wedge (s', t') \in R$,

(4) $\forall a \in int_S : s \overset{a}{\dashrightarrow}_S s' \Rightarrow \exists\, t \dashrightarrow^*_T t' \wedge (s', t') \in R$.

In conditions (2) and (4), $a$ is an internal action which must be simulated by a sequence of arbitrarily many internal actions (denoted by $\longrightarrow^*$ and $\dashrightarrow^*$ resp.). This sequence may be empty, but the important point is that the target state of the original transition with $a$ and the target state of the simulating sequence must again be related by $R$.
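The following Python, added here as an illustration (it is not the paper's code nor the MIO Workbench), decides Definition 4 for finite MIOs by computing the greatest relation R that satisfies conditions (1)-(4): it starts from all state pairs and deletes violating pairs until nothing changes. The MIOs T, S1, S2 and the internal action name `tau` are constructed for this example.

```python
from collections import namedtuple

# MIO (Definition 2): may/must are sets of (state, action, state') with must ⊆ may.
MIO = namedtuple("MIO", "start ins outs ints may must")

def weak_targets(trans, ints, s, a=None):
    """Targets of s ->* --a--> ->* over the transitions `trans`, where ->* takes internal actions from `ints`
    arbitrarily often; with a=None only the internal closure s ->* is returned (Definition 4)."""
    def closure(states):
        while True:
            new = {y for (x, b, y) in trans if x in states and b in ints} - states
            if not new:
                return states
            states = states | new
    before = closure({s})
    if a is None:
        return before
    return closure({y for (x, b, y) in trans if x in before and b == a})

def weakly_refines(S, T):
    """Decide S ≤*m T (Definition 4) as the greatest relation R satisfying conditions (1)-(4),
    computed by starting from all state pairs and deleting pairs until nothing changes."""
    if (S.ins, S.outs, S.ints) != (T.ins, T.outs, T.ints):
        raise ValueError("weak modal refinement is only defined for MIOs with the same signature")
    states = lambda M: {M.start} | {x for (x, _, _) in M.may} | {y for (_, _, y) in M.may}
    R = {(s, t) for s in states(S) for t in states(T)}
    while True:
        def holds(s, t):
            for (x, a, t2) in T.must:  # (1),(2): every must of T is matched by a weak must-step of S
                if x != t:
                    continue
                succ = weak_targets(S.must, S.ints, s, None if a in T.ints else a)
                if not any((s2, t2) in R for s2 in succ):
                    return False
            for (x, a, s2) in S.may:   # (3),(4): every may of S is allowed by a weak may-step of T
                if x != s:
                    continue
                succ = weak_targets(T.may, T.ints, t, None if a in S.ints else a)
                if not any((s2, t2) in R for t2 in succ):
                    return False
            return True
        R2 = {(s, t) for (s, t) in R if holds(s, t)}
        if R2 == R:
            return (S.start, T.start) in R
        R = R2

TAU = "tau"  # the single internal action in the shared signature of the constructed examples below
# Abstract T: after input a, output b is required (must); output c is merely allowed (may only).
T = MIO("t0", frozenset("a"), frozenset("bc"), frozenset({TAU}),
        {("t0", "a", "t1"), ("t1", "b", "t0"), ("t1", "c", "t0")}, {("t0", "a", "t1"), ("t1", "b", "t0")})
# Concrete S1 inserts an internal step before b and drops the optional c: a correct weak refinement.
S1_TRANS = {("s0", "a", "s1"), ("s1", TAU, "s2"), ("s2", "b", "s0")}
S1 = MIO("s0", T.ins, T.outs, T.ints, S1_TRANS, S1_TRANS)
# Concrete S2 replaces the required b by the optional c, violating condition (1).
S2 = MIO("s0", T.ins, T.outs, T.ints,
         {("s0", "a", "s1"), ("s1", TAU, "s2"), ("s2", "c", "s0")}, {("s0", "a", "s1"), ("s1", TAU, "s2")})

if __name__ == "__main__":
    print(weakly_refines(S1, T), weakly_refines(S2, T), weakly_refines(T, T))  # True False True
```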

Our notion of strong modal compatibility is inspired by [3] and [11]. Two MIOs $S$ and $T$ are strongly modally compatible, denoted by $S \sim_{sc} T$, if they are composable and if for each reachable state $(s, t)$ in the composition $S \otimes_{sy} T$, if $S$ may send out in state $s$ an action shared with $T$, then $T$ must be able to receive it in state $t$, and conversely. The difference to [3] and [11] is that we consider the "pessimistic" case, where MIOs should work properly together in any composable environment, while the "optimistic" approach, pursued in [3] and [11], requires the existence of a (helpful) environment; for a discussion see [?].

Strong modal refinement is compositional w.r.t. the synchronous product [11] and preserves strong modal compatibility [6]. Thus we obtain a first interface theory. The detailed proof can be found in [7].

Theorem 1. $(\mathcal{M}, \otimes_{sy}, \leq_m, \sim_{sc})$ is an interface theory.

Weak modal refinement, however, does not preserve strong modal compatibility, due to the possible insertion of internal transitions in the refinement; see [6] for a counterexample. Therefore, we have introduced in [6] a weak version of compatibility such that a communication partner can delay the reception of a message by performing some internal must-transitions before.

Definition 5 (Weak modal compatibility). Two MIOs $S$ and $T$ are weakly modally compatible, denoted by $S \sim_{wc} T$, if they are composable and if for all reachable states $(s, t)$ in $S \otimes_{sy} T$,

(1) $\forall a \in out_S \cap in_T : s \overset{a}{\dashrightarrow}_S s' \Rightarrow \exists\, t \longrightarrow^*_T \xrightarrow{a}_T t'$,

(2) $\forall a \in out_T \cap in_S : t \overset{a}{\dashrightarrow}_T t' \Rightarrow \exists\, s \longrightarrow^*_S \xrightarrow{a}_S s'$.

Since weak modal refinement is compositional w.r.t. the synchronous product [9] and preserves weak modal compatibility [6], we obtain a second interface theory. For a detailed proof see again [7].

Theorem 2. $(\mathcal{M}, \otimes_{sy}, \leq^*_m, \sim_{wc})$ is an interface theory.

All kinds of refinement and synchronous compatibility notions considered here are decidable for finite MIOs and can be efficiently computed in time polynomial in the size of the MIOs. For further variants of interface theories with synchronous composition and for an introduction of the MIO Workbench for refinement and compatibility checking see [6].

3 An Interface Theory for MIOs with Asynchronous Composition 

In distributed applications, implemented, for instance, with a message-oriented middleware, usually an asynchronous communication pattern is used. To obtain an interface theory for this kind of systems we change the composition operator and focus on components which communicate via FIFO-buffered message queues. In Fig. 1 two asynchronously communicating MIOs $S$ and $T$ are schematically depicted: $S$ sends a message $n$ to $T$ by putting it into a queue which stores the outputs of $S$, and then $T$ can receive $n$ by removing $n$ from the queue. Obviously, there is a delay between sending and reception. Similarly,
Figure 1: Asynchronously communicating MIOs ($S$ and $T$ connected via two queues; $T$ has $in = \{n\}$, $out = \{m\}$)

Figure 2: MIO with output queue (the renamed $S^{\triangleright}_o$ with $in = \{m\}$, $out = \{n^{\triangleright}\}$, composed with the queue MIO $Q_o$ with $in = \{n^{\triangleright}\}$, $out = \{n\}$)


$T$ can send a message $m$ to $S$ by using a second queue which stores the outputs of $T$. Technically, we enhance MIOs by output queues which are themselves modelled as MIOs. Given a MIO $S$ and a distinguished subset $o \subseteq out_S$ of the output actions of $S$, the MIO $S$ "with output queue for the messages in $o$" is modelled by the synchronous product of a renamed version of $S$ (where all $n \in o$ are renamed to $n^{\triangleright}$) and the "queue MIO" $Q_o$ which is able to store messages of $o$. Fig. 2 shows the idea of this construction, where $S^{\triangleright}_o$ denotes the renamed version of $S$.

Definition 6 (MIO with output queue). Given a set $o$ of output actions, the queue MIO for $o$ is $Q_o = (o^*, \varepsilon, act, \dashrightarrow, \longrightarrow)$ where the set of states $o^*$ is the set of all finite strings over $o$, the initial state $\varepsilon \in o^*$ is the empty string, and the set of actions $act$ is the disjoint union of input actions $in = \{n^{\triangleright} \mid n \in o\}$ and output actions $out = o$, with no internal actions. Moreover, $\dashrightarrow = \longrightarrow$ and the must-transition relation $\longrightarrow$ is the smallest relation such that

• for all $n^{\triangleright} \in in$ and states $s \in o^*$: $s \xrightarrow{n^{\triangleright}} ns$,

• for all $n \in out$ ($= o$) and states $s \in o^*$: $sn \xrightarrow{n} s$.

Given a MIO $S$ with actions $act_S = in_S \cup out_S \cup int_S$ and a distinguished set $o \subseteq out_S$ of output actions, the MIO $S$ with output queue for $o$ is given by the synchronous product $\Omega_o(S) = S^{\triangleright}_o \otimes_{sy} Q_o$ (where $S^{\triangleright}_o$ denotes the renamed version of $S$ where all $n \in o$ are renamed to $n^{\triangleright}$). Obviously, the product is well-defined since $S^{\triangleright}_o$ and $Q_o$ are composable.

By the rules of synchronous composition the input and the output actions of $\Omega_o(S)$ coincide with those of $S$; an output $n$ of $\Omega_o(S)$ means that the message $n$ is either a free output of $S$ or it is removed from the output queue of $S$. The synchronization actions $n^{\triangleright}$ of $\Omega_o(S)$ express that the message $n$ is put by $S$ (more precisely by $S^{\triangleright}_o$) in the queue.

To define the asynchronous composition of two MIOs $S$ and $T$, we assume again that $S$ and $T$ are composable. Then one can equip $S$ with an output queue for those outputs $o_S$ of $S$ which can be received by $T$, i.e. which are shared actions. The other output actions of $S$ remain free. Similarly $T$ is equipped with an output queue for its shared output actions $o_T$. Obviously, since $S$ and $T$ are composable, $\Omega_{o_S}(S)$ and $\Omega_{o_T}(T)$ are composable as well. Hence, two composable MIOs $S$ and $T$ can be asynchronously composed by synchronously composing their extensions by output queues.
Definition 7 (Asynchronous composition). Let $S, T$ be two composable MIOs and $o_S = out_S \cap in_T$, $o_T = out_T \cap in_S$. The asynchronous composition of $S$ and $T$ is defined by $S \otimes_{as} T = \Omega_{o_S}(S) \otimes_{sy} \Omega_{o_T}(T)$.

We consider two composable MIOs $S$ and $T$ to be asynchronously compatible if, for each reachable state in $S \otimes_{as} T$, whenever the output queue of $S$ is not empty, then $T$ must be able to take (i.e. input) the next removable element of the queue, possibly after some internal must-transitions, and conversely. Obviously, due to the use of output queues (instead of input queues), this idea can be easily formalized with the help of weak modal compatibility as defined in the synchronous case.

Definition 8 (Asynchronous modal compatibility). Two MIOs $S$ and $T$ are asynchronously modally compatible, denoted by $S \sim_{ac} T$, if they are composable and if, for $o_S = out_S \cap in_T$, $o_T = out_T \cap in_S$, $\Omega_{o_S}(S) \sim_{wc} \Omega_{o_T}(T)$.

Figure 3: Example of asynchronously communicating MIOs ($S$ and $T$ together with their output queues, with $in = \{m^{\triangleright}\}$, $out = \{m\}$ and $in = \{n^{\triangleright}\}$, $out = \{n\}$)

As a simple example consider the two MIOs $S$ and $T$ depicted in Fig. 3, where input actions are marked with "?" and output actions with "!", i.e. $in_S = out_T = \{m\}$ and $out_S = in_T = \{n\}$. $S$ has the transitions $start_S \xrightarrow{n!}_S s \xrightarrow{m?}_S start_S$, and $T$ has the transitions $start_T \xrightarrow{m!}_T t \xrightarrow{n?}_T start_T$. $S$ and $T$ are asynchronously compatible, since each communication partner must take the provided message after it has put its own issued message in its queue (which is an internal must-transition in $\Omega_{o_S}(S)$ and $\Omega_{o_T}(T)$ resp.). Note that $S$ and $T$ are obviously neither strongly nor weakly modally compatible, which shows the flexibility of the asynchronous compatibility concept. The other way round, it is shown in [10] that, under certain conditions like input separated states, weak compatibility implies asynchronous compatibility.
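The Fig. 3 example can be checked mechanically with the following Python, added here as an illustration (not the paper's code nor the MIO Workbench's): it implements Definitions 3, 5, 6 and 8 for finite MIOs, truncating the queue MIO $Q_o$ at a chosen bound since the paper's $Q_o$ is unbounded, and reports whether that bound was ever reached. The state names, the `^` suffix standing for the renamed output $n^{\triangleright}$, and the bound are assumptions of this example.

```python
from collections import namedtuple
from itertools import product
# MIO (Definition 2): may/must are sets of (state, action, state') with must ⊆ may; actions are strings.
MIO = namedtuple("MIO", "start ins outs ints may must")
PUT = "^"  # suffix of the renamed output n^ that puts message n into the output queue (Definition 6)

def composable(S, T):  # actions may only overlap as input of one MIO and output of the other
    shared = (S.ins | S.outs | S.ints) & (T.ins | T.outs | T.ints)
    return shared <= (S.ins & T.outs) | (T.ins & S.outs)

def compose_sy(S, T):
    """Synchronous composition S ⊗sy T (Definition 3), built over the reachable product states only."""
    assert composable(S, T)
    shared, start = (S.ins | S.outs) & (T.ins | T.outs), (S.start, T.start)
    may, must, todo, seen = set(), set(), [start], {start}
    while todo:
        s, t = todo.pop()  # steps: (action, target, is_must) for S's free moves, T's free moves, synchronisations
        steps = [(a, (q, t), (p, a, q) in S.must) for (p, a, q) in S.may if p == s and a not in shared]
        steps += [(b, (s, v), (u, b, v) in T.must) for (u, b, v) in T.may if u == t and b not in shared]
        steps += [(a, (q, v), (p, a, q) in S.must and (u, b, v) in T.must)  # a must only if both halves are
                  for (p, a, q) in S.may for (u, b, v) in T.may if p == s and u == t and a == b and a in shared]
        may |= {((s, t), a, nxt) for a, nxt, _ in steps}
        must |= {((s, t), a, nxt) for a, nxt, is_must in steps if is_must}
        new = {nxt for _, nxt, _ in steps} - seen
        seen |= new; todo += new
    return MIO(start, (S.ins | T.ins) - shared, (S.outs | T.outs) - shared, S.ints | T.ints | shared, may, must)

def can_take(M, r, a):
    """Is there r -->* --a--> using must-transitions only, with -->* over M.ints (Definition 5)?"""
    closure = {r}
    while True:
        new = {y for (x, b, y) in M.must if x in closure and b in M.ints} - closure
        if not new:
            return any(x in closure and b == a for (x, b, _) in M.must)
        closure |= new

def weakly_compatible(S, T):
    """Weak modal compatibility S ~wc T (Definition 5) over the reachable states of S ⊗sy T."""
    if not composable(S, T):
        return False
    P = compose_sy(S, T)
    reach = {P.start} | {y for (_, _, y) in P.may}
    ok_s = all(can_take(T, t, a) for (s, t) in reach for (p, a, _) in S.may if p == s and a in S.outs & T.ins)
    ok_t = all(can_take(S, s, a) for (s, t) in reach for (p, a, _) in T.may if p == t and a in T.outs & S.ins)
    return ok_s and ok_t

def with_output_queue(S, o, bound):
    """Ω_o(S) (Definition 6) with Q_o cut off at `bound` messages; the paper's Q_o is unbounded."""
    ren = lambda a: a + PUT if a in o else a  # rename each output n in o to n^
    Sr = MIO(S.start, S.ins, frozenset(map(ren, S.outs)), S.ints,
             {(p, ren(a), q) for (p, a, q) in S.may}, {(p, ren(a), q) for (p, a, q) in S.must})
    words = {w for k in range(bound + 1) for w in product(sorted(o), repeat=k)}  # queue contents, newest first
    qmust = {(w, n + PUT, (n,) + w) for w in words for n in o if len(w) < bound}  # s --n^--> ns (enqueue)
    qmust |= {(w + (n,), n, w) for w in words for n in o if len(w) < bound}       # sn --n--> s  (dequeue)
    return compose_sy(Sr, MIO((), frozenset(n + PUT for n in o), frozenset(o), frozenset(), qmust, qmust))

def async_compatible(S, T, bound=3):
    """S ~ac T (Definition 8): Ω_{o_S}(S) ~wc Ω_{o_T}(T); also reports whether a reachable queue filled up to `bound`."""
    if not composable(S, T):
        return False, False
    OS, OT = with_output_queue(S, S.outs & T.ins, bound), with_output_queue(T, T.outs & S.ins, bound)
    reach = {y for (_, _, y) in compose_sy(OS, OT).may}  # no full queue means the cut-off never mattered
    return weakly_compatible(OS, OT), any(bound in (len(qs), len(qt)) for ((_, qs), (_, qt)) in reach)

S_TRANS, T_TRANS = {("s0", "n", "s1"), ("s1", "m", "s0")}, {("t0", "m", "t1"), ("t1", "n", "t0")}
S = MIO("s0", frozenset("m"), frozenset("n"), frozenset(), S_TRANS, S_TRANS)  # Fig. 3: send n, then receive m
T = MIO("t0", frozenset("n"), frozenset("m"), frozenset(), T_TRANS, T_TRANS)  # Fig. 3: send m, then receive n

if __name__ == "__main__":
    print(weakly_compatible(S, T), async_compatible(S, T))  # False (True, False)
```

For the Fig. 3 MIOs the synchronous check returns False while the asynchronous check returns (True, False): the two queues together never hold more than two messages, so the bound of 3 is never reached and the verdict is exact.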

The behaviour described by the asynchronous composition of MIOs coincides with the operational model of communicating finite state machines (CFSMs); see [8]. In [8] it is required that a system of CFSMs should be well-formed. One part of the well-formedness condition requires that executable receptions should be specified, which is just the strong version of the asynchronous compatibility notion used here. The other direction of the well-formedness condition requires that specified receptions should be executable. This corresponds to a kind of "input" compatibility which we have not considered here, since, in general, it would not be necessary that any service offered by a component must actually be used. Another difference to CFSMs is that we consider a binary (asynchronous) composition operator but allow open systems, while in the CFSM approach closed networks of CFSMs are considered.

To obtain an interface theory with asynchronous composition we still have to choose an appropriate refinement notion. After a closer look it becomes obvious that refinement is not really related to the communication paradigm, since refinement concerns the vertical dimension of software development moving from abstract to more concrete abstraction levels, whereas composition is related to the horizontal dimension where larger systems are constructed from smaller ones and where the underlying communication schema is crucial. Hence, we can simply reuse the powerful notion of weak modal refinement, which leads to an interface theory for MIOs with asynchronous composition.

Theorem 3. $(\mathcal{M}, \otimes_{as}, \leq^*_m, \sim_{ac})$ is an interface theory.
Proof. The proof relies on the previous results for the synchronous case, since the asynchronous notions have been defined in terms of the synchronous ones. As a first observation, we show that for any two MIOs $S$ and $S'$ and for any subset $o$ of output actions of $S$ and of $S'$,

$S' \leq^*_m S \Rightarrow \Omega_o(S') \leq^*_m \Omega_o(S)$. (I)

Since weak modal refinement is compositional, by Thm. 2, $S' \leq^*_m S$ implies $S'^{\triangleright}_o \otimes_{sy} Q_o \leq^*_m S^{\triangleright}_o \otimes_{sy} Q_o$. Hence, by definition, $\Omega_o(S') = S'^{\triangleright}_o \otimes_{sy} Q_o \leq^*_m S^{\triangleright}_o \otimes_{sy} Q_o = \Omega_o(S)$.

We can now prove that the conditions (1) - (3) of an interface theory are satisfied.

(1) Asynchronously compatible MIOs are, by definition, composable.

(2) Compositionality of refinement: Assume that $S' \leq^*_m S$, $T' \leq^*_m T$ and that $S \otimes_{as} T$ is defined, i.e. $S$ and $T$ are composable. Since weak modal refinement $\leq^*_m$ does not change signatures, $S'$ and $T'$ are composable as well, i.e. $S' \otimes_{as} T'$ is defined.

We have to show that $S' \otimes_{as} T' \leq^*_m S \otimes_{as} T$, which means, by definition,

$\Omega_{o_{S'}}(S') \otimes_{sy} \Omega_{o_{T'}}(T') \leq^*_m \Omega_{o_S}(S) \otimes_{sy} \Omega_{o_T}(T)$ (II)

where $o_{S'} = out_{S'} \cap in_{T'}$, $o_{T'} = out_{T'} \cap in_{S'}$, $o_S = out_S \cap in_T$, and $o_T = out_T \cap in_S$. First, $S' \leq^*_m S$ implies that $S$ and $S'$ have the same signature; the same holds for $T$ and $T'$. Therefore, $o_{S'} = o_S$ and $o_{T'} = o_T$. By (I), $S' \leq^*_m S$ and $T' \leq^*_m T$ imply $\Omega_{o_S}(S') \leq^*_m \Omega_{o_S}(S)$ and $\Omega_{o_T}(T') \leq^*_m \Omega_{o_T}(T)$, respectively. Then (II) follows from compositionality of $\leq^*_m$ w.r.t. synchronous composition (see Thm. 2), taking into account $o_{S'} = o_S$ and $o_{T'} = o_T$.

(3) Preservation of compatibility under refinement: Assume that $S \sim_{ac} T$, $S' \leq^*_m S$ and $T' \leq^*_m T$. By definition, $S \sim_{ac} T$ means $\Omega_{o_S}(S) \sim_{wc} \Omega_{o_T}(T)$. From (I) we know that $S' \leq^*_m S$ implies $\Omega_{o_S}(S') \leq^*_m \Omega_{o_S}(S)$ and $T' \leq^*_m T$ implies $\Omega_{o_T}(T') \leq^*_m \Omega_{o_T}(T)$. By Thm. 2, $\sim_{wc}$ is preserved under $\leq^*_m$ and therefore $\Omega_{o_S}(S') \sim_{wc} \Omega_{o_T}(T')$. Thus $\Omega_{o_{S'}}(S') \sim_{wc} \Omega_{o_{T'}}(T')$, since $o_{S'} = o_S$ and $o_{T'} = o_T$ as above. This means, by definition, $S' \sim_{ac} T'$.

□

4 Conclusion 

We have studied interface theories based on modal I/O-transition systems (MIOs) with synchronous and with asynchronous composition. We have chosen MIOs as the underlying domain for interface specifications since they allow for a flexible refinement notion. In the synchronous case, if the underlying MIOs are finite, strong and weak refinement as well as strong and weak compatibility are decidable and can be efficiently checked with the MIO Workbench; see [?] and [13]. In the asynchronous case, the buffering mechanism used for communication may lead to infinite state spaces. Concerning refinement it is, however, still possible to derive weak refinements between composed specifications with infinite state spaces, say $S' \otimes_{as} T' \leq^*_m S \otimes_{as} T$, from local refinements $S' \leq^*_m S$ and $T' \leq^*_m T$, and the latter can be decided if the local MIOs are finite. This is an important consequence of the interface theory with asynchronous composition. The situation is different if we consider the verification of asynchronous compatibility, which is, in general, not decidable due to the potentially infinite output queues. We are currently working on criteria for asynchronous compatibility which are decidable and powerful at the same time, and on the integration of such criteria into the MIO Workbench. As an outcome of our theoretical work, we want to apply the results to provide a solid basis for modelling hierarchical and asynchronously communicating components in the context of the Unified Modeling Language (UML). At the same time we are also interested in interface theories for components with local data states [5], [?] and for timed systems.
output queues (instead of input queues) for the formalization of asynchronous compatibility. We are grateful to Alexander for this very valuable hint.